Countries around the world are scrambling to create contact-tracing apps that will help track the spread of COVID-19. But a beta app launched by the UK this week shows the huge challenges they face and, crucially, the difficulty in designing an effective app without the help of the tech giants that make our phones.
The UK is one of the few countries that has chosen to create a contact-tracing app that is incompatible with the contact-tracing API currently being developed by Google and Apple. Instead of decentralizing the data across devices, the UK will pool the information it collects in a single database operated by the National Health Service, or NHS.
The government argues this will provide greater insight into the spread of COVID-19 and allow the NHS to decide which users are most at risk. Privacy advocates, though, warn it creates new avenues for state surveillance. Already, the UK government appears to have undermined prior assurances that it won’t share the data it collects outside the NHS, suggesting other organizations might use the information for public health research in the future. This is something Apple and Google forbid for any app using their API, and another reason the UK has to build its app without the companies’ help.
But in addition to privacy issues, researchers have identified a major problem in the UK’s efforts to build an app without Google and Apple: it simply won’t work as advertised.
The core issue is one familiar to mobile security experts: app permissions. Contact-tracing apps use Bluetooth to create a log of nearby devices using the app, and, by extension, people with whom users have come into contact. When a user is diagnosed with COVID-19 or starts to show symptoms, they notify their app, which then pings the devices of those people. Some apps, like the one built by Singapore, constantly broadcast Bluetooth pings to find nearby devices. Others, like the one built by the UK, try to create active Bluetooth pairings or “handshakes.”
The problem is that both Google and Apple restrict how apps can use Bluetooth in iOS and Android. They don’t allow developers to constantly broadcast Bluetooth signals, as that sort of background broadcast has been exploited in the past for targeted advertising. As The Register reports, iOS apps can only send Bluetooth signals when the app is running in the foreground. If your iPhone is locked or you’re not looking at the app, then there’s no signal. The latest versions of Android have similar restrictions, only allowing Bluetooth signals to be sent out for a few minutes after an app has closed. Such restrictions will block devices from pinging one another in close quarters, drastically reducing the effectiveness of any contact-tracing app.
Google and Apple can rewrite these rules for their own contact-tracing API because they control the operating systems. But for countries trying to go it alone, like the UK, the restrictions could literally be fatal. iPhone users with the app installed could interact with someone who is later diagnosed with COVID-19 and never know it, if their phone doesn’t keep a log of their interaction.
Similar concerns have been raised with Australia’s COVIDSafe app, which the country also launched without access to Google and Apple’s API. The video below shows the app only broadcasts Bluetooth signals when the app is in the foreground:
Because people seem interested here's some video of the COVIDSafe app failing on iPhone. It is literally impossible to broadcast the UUID needed for the app to work without the screen on and the app in the foreground. pic.twitter.com/X5lpyeKL1A — Joshua Byrd (@phocks), May 1, 2020
The UK government has implied it’s created some unknown workaround to these issues, and there certainly are subtleties in how these protocols operate that might work in its favor. For example, while iOS devices can’t broadcast Bluetooth signals constantly, they can receive them from older Android devices. Doing so would essentially wake up the software and allow the app to exchange vital data.
It’s possible to argue, then, that the UK app will work in urban environments where there is a mix of old and new iOS and Android devices constantly in use. But experts say this is a long way from the reliable mechanism needed to trace the spread of a deadly disease, especially considering that the market share of iOS in the UK is more than 50 percent.
Speaking to The Verge, digital rights expert Michael Veale, who is also part of an international consortium developing decentralized contact-tracing protocols, says there really is no way to build a contact-tracing system without the help of Apple and Google, whom he praised for working at “lightning speed” on the issue. “They’ve been moving much faster than we’d expect them to,” he said. “They’ve provided a unified way that works across borders [and] that lots of countries are using.”
But exactly how the UK’s problems will play out is impossible to predict. The beta contact-tracing app is only launching as a small pilot this week in the Isle of Wight, an island with a population of 141,000 off the south coast of England. The UK government still has time to tweak its functionality or switch to a decentralized system, just as Germany did last month. For as coronavirus has shown, although every country has to fight its own idiosyncratic battle with the virus, that doesn’t stop them learning from others.
“The alternative to working with [Google and Apple] is to create a system that doesn’t work on iPhones, that leads to centralized databases that destroy trust, and that doesn’t work across borders and so won’t help open up international travel,” says Veale. “This is the British problem.”
Update Wed, May 6th, 4:00AM ET: Updated the story to include similar issues with Australia’s COVIDSafe app and a video demonstrating the Bluetooth fault on iOS.